You’ve been hacked. Now what?
The Colonial Pipeline ransomware attack last spring and its troublesome aftermath sent shockwaves through the industrial world. The audacity of the perpetrators and impacts on the supply chain were shocking.
It was the most impactful cyberattack on an oil infrastructure target in the history of the U.S.
When the attackers took control of the computerized equipment managing its pipeline, Colonial halted all its operations to contain the damage. That, in turn, prompted the Federal Motor Carrier Safety Administration to issue a regional emergency declaration for 17 states and Washington, D.C. to keep fuel supply lines open.
Colonial paid the requested $4.4 million in ransom within several hours of the attack. With FBI assistance, it was able to identify the criminal hacking group and recover more than half of the money it paid. But the damage had already been done, as the experience had exposed some rather terrifying vulnerabilities in the industrial and oil and gas markets.
Jeff Moulton, president and CEO of cybersecurity research and service company Stephenson Technologies Corp. in Baton Rouge, says ransomware attacks, hacks, compromised networks and data spills have become the new normal, and no one is immune. “The whole paradigm has changed,” Moulton says. “You’re no longer judged by the fact that you’re attacked; you’re judged on how you respond.”
Stephenson Technologies was created some seven years ago as an applied research hub for LSU but has since begun to operate independently from the university, as much of its work is classified. The entity recently moved into a 25,000-square-foot space at The Water Campus in Baton Rouge and is involved in a number of private- and public-sector cybersecurity projects.
Moulton says ransomware is the most common—and highly publicized—type of attack. Unfortunately, it’s being perpetuated by those companies that pay the ransom. “The attackers are now exploiting you in two ways—they make you pay to get your data back, and they’re making you pay so that the data isn’t shared on the Dark Web,” Moulton says.
A particular vulnerability for industrial owners is the increasing connectivity between systems that manage back-office functions and operational processes. “If they’re connected, they’re vulnerable,” Moulton says. “There used to be no overlap, but because of economics it has become desirable to have one system to operate both. You’ve gained some convenience but increased your attack surface exponentially.”
No company is immune from a cyberattack, he says, and size doesn’t matter. “They’re not looking for a specific thing,” he says. “They’re automated programs (auto scripts) constantly looking for vulnerabilities in any system. There’s not a person there targeting you, specifically.”
Therefore, it’s just a matter of time. The difference, he says, is in how a company prepares and responds.
CREATE A RESPONSE STRATEGY—BEFORE IT HAPPENS
All companies should have a response strategy that identifies a crisis response team and defines key roles and responsibilities. It should also identify a company’s critical assets. “What are those programs, services, processes etc. that you absolutely have to have to continue the business?” Moulton says. “Those get the attention first and you work your way back from there.”
An owner should also have a readily available contact list with all applicable governmental institutions that need to be alerted following an attack, including law enforcement, the FBI, the Department of Homeland Security and others. “Mandatory reporting might even be on the horizon at some point,” he adds.
Additionally, the legal team should assist in developing good internal policies and in the creation of a prepared external message. “Colonial Pipeline had their stuff together,” Moulton says. “They responded pretty well. Unfortunately, they didn’t understand the degree of the cascading impacts of the attack.”
PRACTICE, PRACTICE, PRACTICE
Simply having a response plan isn’t enough. A company should empower its response team to practice their response to an attack. “You need to practice a plan to become proficient,” he says. “You need to know who is going to do what, when, how and where.”
As such, there needs to be a line item in the budget for the cyberattack response. “You need to allocate money for ‘after care’ measures,” Moulton says. “Have a budget in advance. Your action response team should have money up front to put the fire out.”
Moulton admits that convincing upper management of the need for such a fund can be a tall order, but it’s a conversation that needs to happen.
MAP THE DATA FLOW
A company should know where its data is located and how it moves through the organization. In many cases, the data is managed by someone who is largely ignorant of the dangers and isn’t adequately trained. “If you don’t know how your data flows, you can’t protect what you can’t see,” Moulton says.
BACK UP THE DATA
Companies should frequently back up their data—daily if possible—and have multiple copies. They should also limit the number of system administrators and use complex passwords. “And don’t put the backup on the same system that you have everything else on,” Moulton says. “I’ve seen that way too many times.”
GET DATA INSURANCE—AND READ THE POLICY
A cyber insurance policy can be a good thing, but Moulton warns that no two policies are the same. Some policies might specify that the insured can’t touch the system until a professional has performed a forensic investigation. That could lead to lengthy downtime.
“You need to make sure what you’re getting is what you think you’re getting,” Moulton says. “That should only be one arrow in the quiver, not the entire quiver. I tell people to get insurance, but don’t be a slave to your insurer. You need to know what it covers and the limitations.”
WHEN AN ATTACK HAPPENS, NEVER PAY THE RANSOM
Once an attack happens, a company has two options: Pay the ransom or pay nothing and rebuild its system using backups. But payers be warned. “If you pay the ransom, you’re sending the message that you’re a valuable target and it’ll happen again,” Moulton says. “And there’s no guarantee that they’ll release your system once the ransom is paid. Then you’re out of both money and data.”
“Don’t start unplugging stuff right away after you’ve been hacked,” Moulton advises. “First try to understand what’s going on in your system. Pulling the plug is not necessarily the right answer.” A company shouldn’t focus its attention on finding its attacker—at least initially. Instead, it should concentrate its resources on resolving the issue.
DON’T RUN BACKUPS DURING AN ATTACK
Typically, there is a lot of corporate pressure to get systems back up and running, so many owners make the critical mistake of backing up the system in the middle of an attack. “You want to make sure you sever that tie before you start running a backup,” Moulton says. “[Not doing so] will just make things worse.”
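The backup advice above (several copies, kept off the production system) and the warning about running a backup in the middle of an attack can be combined into one small guard. The script below is an added illustration and is not the article’s, Moulton’s or Stephenson Technologies’ code; the entropy threshold (7.5 bits per byte), the 25 percent cutoff and the demo scenario with constructed report files are assumptions chosen for the example, and the “offline_backup” directory stands in for whatever separate location a company actually uses.

```python
"""Backup guard (added example): keep several copies on a separate location,
and refuse to overwrite good copies when the source looks mass-encrypted.
All thresholds and the demo scenario are constructed for illustration."""
import hashlib
import json
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

HIGH_ENTROPY = 7.5        # bits/byte (assumed); documents sit far below, ciphertext near 8.0
MAX_SUSPECT_RATIO = 0.25  # assumed: refuse if >25% of known files vanished or turned to noise


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Record SHA-256 and entropy for every file so the next run can see what changed."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            data = p.read_bytes()
            manifest[str(p.relative_to(root))] = {
                "sha256": hashlib.sha256(data).hexdigest(),
                "entropy": round(shannon_entropy(data), 3),
            }
    return manifest


def suspect_ratio(previous: dict, current: dict) -> float:
    """Share of previously known files that disappeared (as when files are renamed
    to a new extension) or were rewritten with high-entropy content."""
    if not previous:
        return 0.0
    suspect = 0
    for rel, old in previous.items():
        new = current.get(rel)
        if new is None or (new["sha256"] != old["sha256"] and new["entropy"] >= HIGH_ENTROPY):
            suspect += 1
    return suspect / len(previous)


def list_copies(dest: Path) -> list:
    """Backup copies are numbered directories copy-001, copy-002, ... inside dest."""
    return sorted(p for p in dest.iterdir() if p.is_dir() and p.name.startswith("copy-"))


def run_backup(source: Path, dest: Path, keep_copies: int = 3) -> dict:
    """Take a new copy into dest (assumed to be a separate, normally offline location).
    The guard only adds copies, never overwrites one; the oldest are pruned to keep_copies."""
    dest.mkdir(parents=True, exist_ok=True)
    manifest_file = dest / "manifest.json"
    previous = json.loads(manifest_file.read_text()) if manifest_file.exists() else {}
    current = build_manifest(source)
    ratio = round(suspect_ratio(previous, current), 3)
    if ratio > MAX_SUSPECT_RATIO:
        # Existing copies stay untouched; a person has to look before any backup runs.
        return {"ok": False, "suspect_ratio": ratio, "copies": len(list_copies(dest)),
                "reason": "possible mass encryption in source; no copy taken"}
    existing = list_copies(dest)
    seq = int(existing[-1].name.split("-")[1]) + 1 if existing else 1
    shutil.copytree(source, dest / f"copy-{seq:03d}")
    for old in list_copies(dest)[:-keep_copies]:
        shutil.rmtree(old)
    manifest_file.write_text(json.dumps(current, indent=2, sort_keys=True))
    return {"ok": True, "suspect_ratio": ratio, "copies": len(list_copies(dest))}


def demo() -> tuple:
    """Constructed scenario: a healthy backup, routine edits, then a run after the
    share has been overwritten with random bytes (simulated damage, no real crypto)."""
    work = Path(tempfile.mkdtemp())
    source, dest = work / "shared_drive", work / "offline_backup"
    source.mkdir()
    for i in range(20):
        (source / f"report_{i:02d}.txt").write_text(f"Quarterly pipeline report {i}\n" * 40)
    first = run_backup(source, dest)
    (source / "report_03.txt").write_text("Revised figures for Q3\n" * 40)  # ordinary edit
    second = run_backup(source, dest)
    for p in list(source.glob("*.txt")):  # every document vanishes, noise appears in its place
        p.unlink()
        (source / (p.name + ".locked")).write_bytes(os.urandom(4096))
    third = run_backup(source, dest)
    shutil.rmtree(work)
    return first, second, third


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The guard never deletes or overwrites a copy before a new one has been written successfully, and the manifest gives a second, independent check: if the copies on the backup system ever stop matching their recorded hashes, the backup location itself needs attention before anything is restored from it.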
AFTER THE DUST SETTLES, IMPROVE YOUR PROCESSES
After a cyberattack is over, a company should review lessons learned, then improve its security policies and incident response protocols based upon that experience. It sounds like common sense, but many companies seemingly never learn, Moulton says. “It’s obvious that there are some rather large companies who aren’t doing that, because they’re continuously getting hacked.”